Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of the latest documented and recognised vulnerabilities for anyone interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are named with CVE (Common Vulnerabilities and Exposures) identifiers, the standard for information-security vulnerability names, so that information can be exchanged between different tools and databases.

Every vulnerability collected links to its information sources and to any patches or fixes provided by manufacturers and developers. Advanced searches let you narrow the results by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recent vulnerabilities.

CVE-2026-40451

Publication date:
22/04/2026
DeepL Chrome browser extension versions from v1.22.0 to v1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2026

CVE-2026-6834

Publication date:
22/04/2026
The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2026-6835

Publication date:
22/04/2026
The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in an XSS-like effect.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2026

CVE-2026-6833

Publication date:
22/04/2026
The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026

CVE-2026-41458

Publication date:
22/04/2026
OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026
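
The pattern behind this entry, a process-wide session list touched by concurrent login handlers with nothing serialising access, is shown below as an added example. This is illustrative code written for this page, not OwnTone's source: the structure names, the list layout and the login/logout simulation are assumptions. The same list operations run either with or without a mutex; the locked shape leaves the list consistent after a storm of concurrent login/logout pairs, while the unlocked shape is the one that can corrupt the list or crash.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative session record. Field names are assumptions for this example,
 * not OwnTone's structures. */
struct daap_session {
    int id;
    struct daap_session *next;
};

/* One global, process-wide list: the shared state that concurrent /login
 * handlers race on when nothing serialises access to it. */
static struct daap_session *sessions;
static pthread_mutex_t sessions_lock = PTHREAD_MUTEX_INITIALIZER;

/* 0 = vulnerable shape (no lock), 1 = hardened shape (lock held for every
 * traversal and mutation). Set by simulate_logins() before threads start. */
static int use_lock = 1;

static void lock_list(void)   { if (use_lock) pthread_mutex_lock(&sessions_lock); }
static void unlock_list(void) { if (use_lock) pthread_mutex_unlock(&sessions_lock); }

/* "login": push a new session onto the list. */
static void session_add(struct daap_session *s)
{
    lock_list();
    s->next = sessions;
    sessions = s;
    unlock_list();
}

/* "logout" or expiry: unlink and free the session with the given id. */
static int session_remove(int id)
{
    int found = 0;
    lock_list();
    for (struct daap_session **pp = &sessions; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct daap_session *victim = *pp;
            *pp = victim->next;
            free(victim);
            found = 1;
            break;
        }
    }
    unlock_list();
    return found;
}

int session_count(void)
{
    int n = 0;
    lock_list();
    for (struct daap_session *s = sessions; s; s = s->next) n++;
    unlock_list();
    return n;
}

struct worker_arg { int first_id; int n; };

/* Each worker plays a client hammering /login and then logging out again. */
static void *login_storm(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->n; i++) {
        struct daap_session *s = malloc(sizeof *s);
        if (!s) abort();
        s->id = a->first_id + i;      /* ids are unique across workers */
        session_add(s);
        session_remove(s->id);
    }
    return NULL;
}

/* Run nthreads concurrent clients doing per_thread login/logout pairs each and
 * return how many sessions remain on the list afterwards (0 when consistent). */
int simulate_logins(int nthreads, int per_thread, int locked)
{
    enum { MAX_THREADS = 64 };
    pthread_t th[MAX_THREADS];
    struct worker_arg args[MAX_THREADS];

    if (nthreads < 1) nthreads = 1;
    if (nthreads > MAX_THREADS) nthreads = MAX_THREADS;
    use_lock = locked;

    for (int i = 0; i < nthreads; i++) {
        args[i].first_id = i * per_thread;
        args[i].n = per_thread;
        if (pthread_create(&th[i], NULL, login_storm, &args[i]) != 0) abort();
    }
    for (int i = 0; i < nthreads; i++)
        pthread_join(th[i], NULL);

    return session_count();
}

int main(void)
{
    /* The locked variant is deterministic. Passing 0 instead of 1 reproduces the
     * unsynchronised shape, which may corrupt the list or crash under load. */
    int left = simulate_logins(8, 20000, 1);
    printf("sessions left after login storm: %d\n", left);
    return left == 0 ? 0 : 1;
}
```

The fix is not the mutex alone but the rule it enforces: every read of the list, including the traversal in `session_count`, happens under the same lock as every write, so a login handler never walks a node that another request is in the middle of unlinking.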

CVE-2026-5398

Publication date:
22/04/2026
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6386

Publication date:
22/04/2026
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page. The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6392

Publication date:
22/04/2026
Tanium addressed an information disclosure vulnerability in Threat Response.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6408

Publication date:
22/04/2026
Tanium addressed an information disclosure vulnerability in Tanium Server.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-6416

Publication date:
22/04/2026
Tanium addressed an uncontrolled resource consumption vulnerability in Interact.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2026

CVE-2026-41457

Publication date:
22/04/2026
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2026
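
The injection class in this entry, a client value spliced into SQL text because the target column is "an integer", is shown below as an added example written for this page; it is not OwnTone's query code. The field-to-column table, the `'field:value'` term syntax and the function names are assumptions. The unsafe builder reproduces the mistake, and the hardened builder parses the value with `strtoll`, requires the whole string to be consumed, and re-serialises the number so only digits can reach the SQL text.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mapping of DAAP field names to SQL columns (assumed for this
 * example, not OwnTone's table). is_integer marks columns whose values were
 * spliced into the query unquoted. */
struct field_map {
    const char *daap_name;
    const char *column;
    int is_integer;
};

static const struct field_map field_table[] = {
    { "daap.songalbumid", "songalbumid", 1 },
    { "daap.songtime",    "song_length", 1 },
    { "dmap.itemid",      "id",          1 },
};

static const struct field_map *lookup_field(const char *name)
{
    for (size_t i = 0; i < sizeof field_table / sizeof field_table[0]; i++)
        if (strcmp(field_table[i].daap_name, name) == 0)
            return &field_table[i];
    return NULL;
}

/* Vulnerable shape: the column is numeric, so the client-supplied value goes
 * into the SQL text verbatim, unquoted and unvalidated. Returns a heap string
 * (caller frees) or NULL for an unknown field. */
char *build_where_unsafe(const char *field, const char *value)
{
    const struct field_map *f = lookup_field(field);
    if (!f || !f->is_integer) return NULL;
    size_t n = strlen("WHERE  = ") + strlen(f->column) + strlen(value) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "WHERE %s = %s", f->column, value);
    return out;
}

/* Hardened shape: parse the value as an integer, insist that the whole string
 * was consumed, and print the parsed number back, so the SQL text can only
 * ever contain digits and a sign. Anything else is rejected, not "cleaned". */
char *build_where_safe(const char *field, const char *value)
{
    const struct field_map *f = lookup_field(field);
    if (!f || !f->is_integer) return NULL;

    char *end;
    errno = 0;
    long long v = strtoll(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return NULL;   /* empty, trailing junk, or out of range */

    size_t n = 64 + strlen(f->column);
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "WHERE %s = %lld", f->column, v);
    return out;
}

/* Turn one DAAP-style term, 'field:value' with optional quotes, into a WHERE
 * clause with either builder. The term syntax is an approximation. */
char *where_from_term(const char *term, int hardened)
{
    char field[64], value[256];
    size_t len = strlen(term);
    if (len >= 2 && term[0] == '\'' && term[len - 1] == '\'') { term++; len -= 2; }
    const char *colon = memchr(term, ':', len);
    if (!colon) return NULL;
    size_t flen = (size_t)(colon - term), vlen = len - flen - 1;
    if (flen >= sizeof field || vlen >= sizeof value) return NULL;
    memcpy(field, term, flen);      field[flen] = '\0';
    memcpy(value, colon + 1, vlen); value[vlen] = '\0';
    return hardened ? build_where_safe(field, value) : build_where_unsafe(field, value);
}

int main(void)
{
    /* Constructed filter values: one benign, one carrying an injected expression. */
    const char *terms[] = { "'daap.songalbumid:42'", "'daap.songalbumid:42 OR 1=1'" };
    for (int i = 0; i < 2; i++) {
        char *u = where_from_term(terms[i], 0), *s = where_from_term(terms[i], 1);
        printf("%-32s unsafe: %s\n%-32s safe:   %s\n", terms[i], u ? u : "(rejected)",
               "", s ? s : "(rejected)");
        free(u); free(s);
    }
    return 0;
}
```

Where the database layer offers bound parameters, binding the parsed integer is preferable to rebuilding the SQL text at all; the strict parse is still worth keeping in front of it, because a rejected value should fail the request rather than silently become 0.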

CVE-2026-41146

Publication date:
22/04/2026
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
22/04/2026
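
The failure mode in this entry, a parse loop that keeps iterating without consuming input, is shown below as an added example written for this page; it is not facil.io's or iodine's parser. The scanner is a toy that handles arrays, strings, numbers and the three literals, tolerates missing commas as the description says the real parser does, and returns 0 from its scalar routine for any byte it does not recognise, which is the shape that spins. The `guard` flag adds the forward-progress check that turns the spin into a parse error; the same inputs quoted above, `[i` and `[""i`, are used as the constructed test cases.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { JSON_ERR = -1 };

struct scanner {
    const char *s;
    size_t len;
    size_t pos;
};

static int is_numchar(char c)
{
    return isdigit((unsigned char)c) || c == '.' || c == 'e' || c == 'E' || c == '+' || c == '-';
}

/* Match a literal such as "true" at the cursor; advance only on success. */
static int take_literal(struct scanner *sc, const char *word)
{
    size_t n = strlen(word);
    if (sc->len - sc->pos >= n && memcmp(sc->s + sc->pos, word, n) == 0) {
        sc->pos += n;
        return 1;
    }
    return 0;
}

/* Consume one scalar at the cursor. Returns 1 if consumed, -1 if malformed,
 * and 0 for a byte this routine does not treat as a value start, in which case
 * pos is left exactly where it was. */
static int take_scalar(struct scanner *sc)
{
    char c = sc->s[sc->pos];
    if (c == '"') {
        size_t p = sc->pos + 1;
        while (p < sc->len && sc->s[p] != '"') p++;
        if (p >= sc->len) return -1;             /* unterminated string */
        sc->pos = p + 1;
        return 1;
    }
    if (c == '-' || isdigit((unsigned char)c)) {
        sc->pos++;
        while (sc->pos < sc->len && is_numchar(sc->s[sc->pos])) sc->pos++;
        return 1;
    }
    if (c == 't') return take_literal(sc, "true");
    if (c == 'f') return take_literal(sc, "false");
    if (c == 'n') return take_literal(sc, "null");
    return 0;
}

/* Scan the array whose '[' is at the cursor; returns the element count or
 * JSON_ERR. guard=1 enforces forward progress on every iteration; guard=0 keeps
 * the buggy shape, in which an unhandled value start makes the loop spin. */
static int scan_array_at(struct scanner *sc, int guard)
{
    int count = 0;
    sc->pos++;                                       /* skip '[' */
    for (;;) {
        size_t before = sc->pos;
        while (sc->pos < sc->len && isspace((unsigned char)sc->s[sc->pos])) sc->pos++;
        if (sc->pos >= sc->len) return JSON_ERR;    /* unterminated array */

        char c = sc->s[sc->pos];
        if (c == ']') { sc->pos++; return count; }
        if (c == ',') { sc->pos++; continue; }       /* separators are optional here */
        if (c == '[') {
            if (scan_array_at(sc, guard) < 0) return JSON_ERR;
            count++;
            continue;
        }
        int r = take_scalar(sc);
        if (r < 0) return JSON_ERR;
        if (r > 0) { count++; continue; }

        /* r == 0: nothing consumed. Without the guard the loop goes round again
         * expecting some other branch to handle the byte; none does, pos never
         * moves, and one core is pegged. With the guard it is a parse error. */
        if (guard && sc->pos == before) return JSON_ERR;
    }
}

int scan_array(const char *json, int guard)
{
    struct scanner sc = { json, strlen(json), 0 };
    if (sc.len == 0 || sc.s[0] != '[') return JSON_ERR;
    return scan_array_at(&sc, guard);
}

int main(void)
{
    /* Constructed inputs; the last two are the reproducers quoted in the advisory. */
    const char *inputs[] = { "[1, \"a\", true, [2,3]]", "[]", "[i", "[\"\"i" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s -> %d\n", inputs[i], scan_array(inputs[i], 1));
    /* scan_array("[i", 0) would never return: that is the bug, not a test case. */
    return 0;
}
```

The check is deliberately placed in the loop rather than in `take_scalar`: a parser with many dispatch branches can pick up a non-consuming path in any of them, and a single "did the cursor move?" test at the top of the loop catches all of them at once, including ones added later.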